orcus | fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd

Analysis

max time kernel
102s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
Size

1.2MB
MD5

8031ba7c7db878cb3ddd3bf3f9bea80b
SHA1

58bff6171067acc0b51c5c61c04de60b036bbb5c
SHA256

fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd
SHA512

581fa0775baca47a48c4b14f186d085ea8c8f37e52faa516b4bcf5bd4958b3fbde0df8dcd5ed65163a928e58ef1c4ac2938d476920be7fd8e72d90f494658d11
SSDEEP

24576:+2A4MROxnFE30rXpCrZlI0AilFEvxHinYhrpo:+2jMiuepCrZlI0AilFEvxHig

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

127.0.0.1:7436

Mutex

851c13e9b18e43239c52719c67ae474f

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Windows Academy\quard.ai
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
svchost
watchdog_path
AppData\quard.ai

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000194db-41.dat	family_orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000194db-41.dat	orcus

Executes dropped EXE 2 IoCs

pid	Process
2676	WindowsInput.exe
2584	WindowsInput.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Academy\quard.ai	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File opened for modification	C:\Program Files\Windows Academy\quard.ai	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
File created	C:\Program Files\Windows Academy\quard.ai.config	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2536	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2536	AcroRd32.exe
2536	AcroRd32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2776	2524	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	29
PID 2524 wrote to memory of 2776	2524	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	29
PID 2524 wrote to memory of 2776	2524	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	29
PID 2776 wrote to memory of 2408	2776	csc.exe	31
PID 2776 wrote to memory of 2408	2776	csc.exe	31
PID 2776 wrote to memory of 2408	2776	csc.exe	31
PID 2524 wrote to memory of 2676	2524	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	33
PID 2524 wrote to memory of 2676	2524	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	33
PID 2524 wrote to memory of 2676	2524	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	33
PID 2524 wrote to memory of 2052	2524	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	35
PID 2524 wrote to memory of 2052	2524	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	35
PID 2524 wrote to memory of 2052	2524	fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe	35
PID 2052 wrote to memory of 2536	2052	rundll32.exe	36
PID 2052 wrote to memory of 2536	2052	rundll32.exe	36
PID 2052 wrote to memory of 2536	2052	rundll32.exe	36
PID 2052 wrote to memory of 2536	2052	rundll32.exe	36

C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe
"C:\Users\Admin\AppData\Local\Temp\fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v_copwwd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F7D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7F7C.tmp"
    3⤵
    PID:2408
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2676
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Program Files\Windows Academy\quard.ai
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Program Files\Windows Academy\quard.ai"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2536

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Academy\quard.ai

Filesize
1.2MB

MD5
8031ba7c7db878cb3ddd3bf3f9bea80b

SHA1
58bff6171067acc0b51c5c61c04de60b036bbb5c

SHA256
fe27a5091ee443a0f1b5082d2bff21654a75ff029d5ebdaaa80b108d265725cd

SHA512
581fa0775baca47a48c4b14f186d085ea8c8f37e52faa516b4bcf5bd4958b3fbde0df8dcd5ed65163a928e58ef1c4ac2938d476920be7fd8e72d90f494658d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7F7D.tmp

Filesize
1KB

MD5
6b236eba0d39dc2eddcf453611a0ab47

SHA1
461a1694205e36412f5c8842f8cee56582a9c14a

SHA256
b2fe4da6155eb89565607cc14ab28a52656a87601c6dc3fdcf062ae817e174de

SHA512
00248ecde8699b2454755ad5709006869da913988d9c9f8e4b358739c31454548ab0f8cda5dd2a81cf6b82bc337b79a4ab01f225861e45318de426a138bc594f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v_copwwd.dll

Filesize
76KB

MD5
af991fb8f957b65f8e984bbd5c11e2e7

SHA1
1fe8edd42a24ab980a9715297d93b3f3f90ac3e6

SHA256
3bbbe88b06ac3859981677175bcf566c9eb70ab995c475bc18070245beebf5fa

SHA512
f4448d97e83de3009330b2f23f00df15d60f37900a46743a722362c2216964c7b15b0649792571aa069d4f45fa9104207c0fdeb8bb799ddf6220e6cae15eeaf7

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
fd1f5f08fdc765fe01a5ec13cb9c4df9

SHA1
b4424b3a0e24a37cc117500568ebd458a9da1a6a

SHA256
54b1becf61fd25ac76aef33fd4a0833a20ff751961f68aadee4c4e679e84f65f

SHA512
9c19e39f8d9f12f75574cc49fdf55c6bcbdf06f228083e9d313b49f4d374a9918e01c209bc1a84151d29fe34021299c829da4e50fa24663ae27c7aae8e60729c

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7F7C.tmp

Filesize
676B

MD5
e0a71cc2fb0eeccf28bd03bb952963af

SHA1
86959bc2bb00e437c7619fa2588231371798b90c

SHA256
d6dae9e7b6cafc711e3324fd00b29d5a0af064f62269bb11e314bf020c0c6b86

SHA512
725c1815a09571b56b2c9bbc21400ecd1f665abf177209ddd810a99e281792468a5d9c7f4b065da705359f0c1db7fd71b8cf41c768f7bdf6fbb56b04df9ee58b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v_copwwd.0.cs

Filesize
208KB

MD5
250321226bbc2a616d91e1c82cb4ab2b

SHA1
7cffd0b2e9c842865d8961386ab8fcfac8d04173

SHA256
ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d

SHA512
bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v_copwwd.cmdline

Filesize
349B

MD5
9bcdd3ba9e43eba62fae54aba689b6b0

SHA1
53ede35f10c6d07391c2a9f5fb51871f969b75e5

SHA256
278366a3fa7c7c925aedb7863adb6130c32cf19281730f7785ad725709e1ccf3

SHA512
5ef6f09c8a71bd274c3c8c2a1b3dbfb0f32e020609e88949ce1759f38a5c3d1e3d4dc166c76fb8727cc90bbe1db9abee83dc739132edecb7dd2a849c2615903f

Download Submit
memory/2524-31-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2524-23-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2524-2-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2524-20-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2524-4-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2524-22-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2524-17-0x0000000001FD0000-0x0000000001FE6000-memory.dmp

Filesize
88KB

Download
memory/2524-0-0x000007FEF57FE000-0x000007FEF57FF000-memory.dmp

Filesize
4KB

Download
memory/2524-21-0x0000000001F20000-0x0000000001F28000-memory.dmp

Filesize
32KB

Download
memory/2524-3-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/2524-1-0x0000000001F70000-0x0000000001FCC000-memory.dmp

Filesize
368KB

Download
memory/2524-40-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-37-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2676-33-0x0000000001040000-0x000000000104C000-memory.dmp

Filesize
48KB

Download
memory/2776-42-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2776-19-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download